Building Secure Servers with Linux, O'Reilly


By Michael D. Bauer

Computer security can be both discouraging and liberating. Once you get past the horror that comes with fully grasping its futility (a feeling identical to the one that young French horn players get upon realizing no matter how hard they practice, their instrument will continue to humiliate them periodically without warning), you realize that there’s nowhere to go but up. But if you approach system security with:
· Enough curiosity to learn what the risks are
· Enough energy to identify and take the steps necessary to mitigate (and thus intelligently assume) those risks
· Enough humility and vision to plan for the possible failure of even your most elaborate security measures
you can greatly reduce your systems’ chances of being compromised. At least as importantly, you can minimize the duration of and damage caused by any attacks that do succeed. This book can help, on both counts.

What This Book Is About
Acknowledging that system security is, on some level, futile is my way of admitting that this book isn’t really about "Building Secure Servers."[1] Clearly, the only way to make a computer absolutely secure is to disconnect it from the network, power it down, repeatedly degauss its hard drive and memory, and pulverize the whole thing into dust. This book contains very little information on degaussing or pulverizing. However, it contains a great deal of practical advice on the following:
· How to think about threats, risks, and appropriate responses to them
· How to protect publicly accessible hosts via good network design
· How to "harden" a fresh installation of Linux and keep it patched against newly discovered vulnerabilities with a minimum of ongoing effort
· How to make effective use of the security features of some particularly popular and securable server applications
· How to implement some powerful security applications, including Nessus and Snort
[1] My original title was Attempting to Enhance Certain Elements of Linux System Security in the Face of Overwhelming Odds: Yo’ Arms Too Short to Box with God, but this was vetoed by my editor (thanks, Andy!).
In particular, this book is about "bastionizing" Linux servers. The term bastion host can legitimately be used several ways, one of which is as a synonym for firewall. (This book is not about building Linux firewalls, though much of what I cover can/should be done on firewalls.) My definition of bastion host is a carefully configured, closely monitored host that provides restricted but publicly accessible services to nontrusted users and systems. Since the biggest, most important, and least trustworthy public network is the Internet, my focus is on creating Linux bastion hosts for Internet use.
I have several reasons for this seemingly narrow focus. First, Linux has been particularly successful as a server platform: even in organizations that otherwise rely heavily on commercial operating systems such as Microsoft Windows, Linux is often deployed in "infrastructure" roles, such as SMTP gateway and DNS server, due to its reliability, low cost, and the outstanding quality of its server applications.
Second, Linux and TCP/IP, the lingua franca of the Internet, go together. Anything that can be done on a TCP/IP network can be done with Linux, and done extremely well, with very few exceptions. There are many, many different kinds of TCP/IP applications, of which I can only cover a subset if I want to do so in depth. Internet server applications are an important subset.
Third, this is my area of expertise. Since the mid-nineties my career has focused on network and system security: I’ve spent a lot of time building Internet-worthy Unix and Linux systems. By reading this book you will hopefully benefit from some of the experience I’ve gained along the way.

The Paranoid Penguin Connection
Another reason I wrote this book has to do with the fact that I write the monthly "Paranoid Penguin" security column in Linux Journal Magazine. About a year and a half ago, I realized that all my pieces so far had something in common: each was about a different aspect of building bastion hosts with Linux. By then, the column had gained a certain amount of notoriety, and I realized that there was enough interest in this subject to warrant an entire book on Linux bastion hosts. Linux Journal generously granted me permission to adapt my columns for such a book, and under the foolish belief that writing one would amount mainly to knitting the columns together, updating them, and adding one or two new topics, I proposed this book to O’Reilly and they accepted. My folly is your gain: while "Paranoid Penguin" readers may recognize certain diagrams and even paragraphs from that material, I’ve spent a great deal of effort reresearching and expanding all of it, including retesting all examples and procedures. I’ve added entire (lengthy) chapters on topics I haven’t covered at all in the magazine, and I’ve more than doubled the size and scope of others. In short, I allowed this to become The Book That Ate My Life in the hope of reducing the number of ugly security surprises in yours.

Assumptions This Book Makes
While security itself is too important to relegate to the list of "advanced topics" that you'll get around to addressing at a later date, this book does not assume that you are an absolute beginner at Linux or Unix. If it did, it would be twice as long: for example, I can't give a very focused description of setting up syslog's startup script if I also have to explain in detail how the System V init system works.
Therefore, you need to understand the basic configuration and operation of your Linux system before my procedures and examples will make much sense. This doesn't mean you need to be a grizzled veteran of Unix who's been running Linux since kernel Version 0.9 and who can't imagine listing a directory's contents without piping it through impromptu awk and sed scripts. But you should have a working grasp of the following:
· Basic use of your distribution's package manager (rpm, dselect, etc.)
· Linux directory system hierarchies (e.g., the difference between /etc and /var)
· How to manage files, directories, packages, user accounts, and archives from a command prompt (i.e., without having to rely on X)
· How to compile and install software packages from source
· Basic installation and setup of your operating system and hardware
Notably absent from this list is any specific application expertise: most security applications discussed herein (e.g., OpenSSH, Swatch, and Tripwire) are covered from the ground up.
I do assume, however, that with non-security-specific applications covered in this book, such as Apache and BIND, you’re resourceful enough to get any information you need from other sources. In other words, even if you are new to these applications, you shouldn’t have any trouble following my procedures on how to harden them. But you’ll need to consult their respective manpages, HOWTOs, etc. to learn how to fully configure and maintain them.



Product details
File Size: 9,008 KB, 576 p
File Type: PDF format
2003 O'Reilly & Associates, Inc
